Add CVE-2021-3449 for openssl-src (#882)

2026-01-02 17:46:38 +01:00 · 2021-05-01 10:30:25 +02:00
parent 3dcdf93d52
commit 43778319e4
1 changed files with 25 additions and 0 deletions
--- a/crates/openssl-src/RUSTSEC-0000-0000.md
+++ b/crates/openssl-src/RUSTSEC-0000-0000.md
@@ -0,0 +1,25 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "openssl-src"
+aliases = ["CVE-2021-3449"]
+categories = ["denial-of-service"]
+date = "2021-05-01"
+url = "https://www.openssl.org/news/secadv/20210325.txt"
+
+[versions]
+patched = [">= 111.15"]
+```
+
+# NULL pointer deref in signature_algorithms processing
+
+An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation
+ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits
+the signature_algorithms extension (where it was present in the initial
+ClientHello), but includes a signature_algorithms_cert extension then a NULL
+pointer dereference will result, leading to a crash and a denial of service
+attack.
+
+A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which
+is the default configuration). OpenSSL TLS clients are not impacted by this
+issue.